Even before the events of 2020, many organizations struggled to maintain effective security operations programs. With growing numbers of workloads moving to the cloud, IT ecosystems were becoming increasingly complex and distributed. At the same time, widespread adoption of DevOps practices led software release cycles to become shorter and shorter. In conjunction with the cloud’s ephemerality, this meant that organizational computing environments were increasingly dynamic and ever-changing.
Not only had attack surfaces grown, but business-critical operations had become increasingly reliant upon digital technologies, making the potential consequences of an incident or breach more serious. With the expansion of the attack surface came a corresponding increase in the number of logs and telemetry sources from the environment that SecOps teams were tasked with monitoring.
Today, digital business processes are more critical to the bottom line than ever, while sweeping adoption of hybrid and work-from-home policies is further expanding the attack surface. In the face of this constellation of challenges, legacy security architectures built from an expansive array of point solutions operating in siloed fashion can no longer keep up. Security Information and Event Management (SIEM) platforms are often slow and cumbersome to operate, and they were not designed to give analysts the relevant background or the contextual information needed to make good decisions in real time.
The Limitations of SIEM in the Modern Threat Landscape
XDR was developed to solve these problems.
Though multiple definitions of the term exist, we favor the one advanced by 451 Research. According to this definition, extended detection and response is a technology approach that involves combining a pre-built integration of multiple security telemetry sources with analytics and response capabilities.
In many security programs, SIEM solutions were brought in to house event logs from a broad array of security tools, operating systems, applications and network appliances. SIEM enabled analysts to correlate and search this log data, but often did not give them adequate real-time visibility into activity on endpoints, where a majority of threat actors make their initial foray into the environment. Hence, SecOps programs began adopting purpose-built endpoint detection and response (EDR) tools. EDR gave them the ability to gather data directly from endpoint devices to support threat detection and investigation, as well as to execute certain response actions. EDR's limitation, however, is that its detection and response capabilities are confined to the endpoint.
XDR provides next-generation detection and response capabilities, extending the enhanced visibility and threat-containment functionality that network detection and response (NDR) and EDR offer across the entirety of the IT ecosystem. XDR brings context to external threat intelligence and to the internal business environment by synthesizing security telemetry from network, endpoint, cloud, email, identity, the Internet of Things (IoT) and other sources.
Born of the need for complete attack surface visibility in today's distributed and heterogeneous computing ecosystems, XDR finds patterns within the ingested data to aid threat detection, reduce false positives and automate threat response and remediation. This makes it a powerful source of efficiency and value for high-performing security teams. With the best approaches to XDR, there is enough contextual information from the customer's environment, and enough understanding of that environment, to contain threats confidently. That containment can be automated when it is known that the process will not interrupt critical business operations unnecessarily.
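To make the cross-source correlation described above concrete, the following is an added example (not code from the original page or from any XDR vendor). It correlates constructed endpoint, identity and email telemetry per user inside a time window, raises an alert only when independently noisy signals from at least two sources agree (suppressing the single-source false positive), and gates automatic host isolation on a hypothetical critical-asset list so that containment of a production database server is escalated to an analyst instead of executed automatically. The weights, thresholds, hosts, users and event shapes are all assumptions made for the example.

```python
"""Minimal cross-source detection-and-response correlation (added example).

Each telemetry source contributes a weak, noisy signal. An incident is raised
only when the combined score crosses a threshold AND the signals come from at
least two distinct sources, which is the context a single SIEM rule or a
single EDR alert lacks.
"""
from datetime import datetime, timedelta

# Assumed per-source signal weights (hypothetical, tuned for the example).
SIGNAL_WEIGHTS = {
    ("email", "attachment_opened"): 1,
    ("endpoint", "suspicious_child_process"): 3,
    ("identity", "logon_failure_burst"): 2,
}
ALERT_THRESHOLD = 4          # combined score required to alert
MIN_SOURCES = 2              # distinct telemetry sources required to alert
WINDOW = timedelta(minutes=10)

# Hypothetical business-critical assets: automated isolation would interrupt
# operations, so incidents touching them are escalated rather than contained.
CRITICAL_ASSETS = {"DB-PROD-01"}

# Constructed sample telemetry (hosts, users and timestamps are invented).
SAMPLE_EVENTS = [
    {"source": "email", "ts": "2024-03-01T09:00:00", "user": "alice",
     "host": None, "type": "attachment_opened"},
    {"source": "endpoint", "ts": "2024-03-01T09:00:40", "user": "alice",
     "host": "WS-0142", "type": "suspicious_child_process"},
    {"source": "identity", "ts": "2024-03-01T09:03:10", "user": "alice",
     "host": "WS-0142", "type": "logon_failure_burst"},
    # Single EDR hit with no corroborating source: should not alert.
    {"source": "endpoint", "ts": "2024-03-01T10:15:00", "user": "bob",
     "host": "WS-0201", "type": "suspicious_child_process"},
    # Two sources agree on a critical asset: alert, but escalate instead
    # of auto-isolating.
    {"source": "endpoint", "ts": "2024-03-01T11:00:00", "user": "svc-db",
     "host": "DB-PROD-01", "type": "suspicious_child_process"},
    {"source": "identity", "ts": "2024-03-01T11:02:00", "user": "svc-db",
     "host": "DB-PROD-01", "type": "logon_failure_burst"},
    # Identity noise alone: below threshold, single source.
    {"source": "identity", "ts": "2024-03-01T12:00:00", "user": "carol",
     "host": "WS-0310", "type": "logon_failure_burst"},
]


def summarize(user, cluster):
    """Score one time-windowed cluster of events belonging to a single user."""
    scored = [e for e in cluster if (e["source"], e["type"]) in SIGNAL_WEIGHTS]
    score = sum(SIGNAL_WEIGHTS[(e["source"], e["type"])] for e in scored)
    sources = sorted({e["source"] for e in scored})
    hosts = sorted({e["host"] for e in cluster if e["host"]})
    return {
        "user": user,
        "score": score,
        "sources": sources,
        "hosts": hosts,
        "alert": score >= ALERT_THRESHOLD and len(sources) >= MIN_SOURCES,
    }


def correlate(events, window=WINDOW):
    """Group events per user into clusters that start a new window whenever an
    event falls more than `window` after the cluster's first event; return only
    the clusters that qualify as alerts."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    incidents = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs:
            if cluster:
                start = datetime.fromisoformat(cluster[0]["ts"])
                if datetime.fromisoformat(e["ts"]) - start > window:
                    incidents.append(summarize(user, cluster))
                    cluster = []
            cluster.append(e)
        if cluster:
            incidents.append(summarize(user, cluster))
    return [i for i in incidents if i["alert"]]


def decide_response(incident, critical_assets=CRITICAL_ASSETS):
    """Automate containment only where it cannot interrupt critical operations."""
    if not incident["alert"]:
        return "none"
    if any(h in critical_assets for h in incident["hosts"]):
        return "escalate_to_analyst"
    return "isolate_host"


def run(events=SAMPLE_EVENTS):
    """Return (user, score, sources, response) for every alerting incident."""
    return [(i["user"], i["score"], i["sources"], decide_response(i))
            for i in correlate(events)]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Running the block prints two incidents: alice's email-to-endpoint-to-identity chain is auto-isolated, while the svc-db incident on the critical database host is escalated; bob's lone EDR hit and carol's lone logon-failure burst never surface as alerts.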